On Tue, 7 Dec 2004, Gandalf The White wrote:

> From my reading it appears that you need the original source to create the
> doppelganger blocks. It also appears that given an MD5 hash you could not
> create an input that would give that MD5 back. Passwords encoded with MD5
> would not fall prey to your discovery. Is this correct?

My understanding is similar to yours. However, imagine a PKI system in, say, a contract management system. Let's say you can write a valid Word document with a section of text that can be "swapped" out. That can be a problem.

It breaks non-repudiation - someone could create such a "swappable" contract and go to court and say "Yes, that's a valid signature, but I really signed *THIS* document which just happens to have an identical signature."

Of course if I was called upon to testify, I would respond, "Yes, but it is clear this contract was written with the intent to defraud us, as to get this property, it has to be constructed in a very specific mind with this fraud in mind at time of contract origination..."

-- Joel
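The "swappable section" scenario above, as an added illustration that is not part of the thread: the two 128-byte blocks are the publicly known Wang et al. (2004) MD5 collision pair, and because MD5 is an iterated construction, appending the same contract text to either block yields two different documents with one MD5 digest, so any signature computed over that digest verifies for both. The `sign`/`verify` functions, the HMAC-over-digest stand-in for an RSA-over-hash signature, the key and the contract suffix are all constructed for the example; the defender's check is to refuse MD5 as the signature digest and require SHA-256, under which the two documents no longer agree.

```python
import hashlib
import hmac

# Wang et al. (2004) MD5 collision pair: two distinct 128-byte blocks
# that share the MD5 digest 79054025255fb1a26e4bc422aef54eb4.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed contract body shared by both documents (the non-swappable part).
CONTRACT_TEXT = b"\n-- CONTRACT --\nSeller transfers the property to Buyer for $1.\n"

# Constructed signing key; a stand-in for the signer's private key.
SIGNING_KEY = b"example-signer-key-not-real"

ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}  # policy: collision-resistant only


def sign(document: bytes, key: bytes, digest_name: str) -> bytes:
    """Toy signature: HMAC over the document's digest.

    Stands in for 'RSA over H(document)': the signature depends on the
    document only through H(document), which is exactly the property a
    hash collision exploits.
    """
    digest = hashlib.new(digest_name, document).digest()
    return hmac.new(key, digest, "sha256").digest()


def verify(document: bytes, signature: bytes, key: bytes, digest_name: str) -> bool:
    """Recompute the signature over this document and compare in constant time."""
    expected = sign(document, key, digest_name)
    return hmac.compare_digest(expected, signature)


def verify_with_policy(document: bytes, signature: bytes, key: bytes, digest_name: str) -> bool:
    """Defender's check: refuse digests known to admit collisions before verifying."""
    if digest_name not in ALLOWED_DIGESTS:
        return False
    return verify(document, signature, key, digest_name)


def build_documents() -> tuple[bytes, bytes]:
    """Two documents that differ only in the swappable leading block."""
    return BLOCK_A + CONTRACT_TEXT, BLOCK_B + CONTRACT_TEXT


def demonstrate() -> dict:
    """Show that one MD5-based signature validates both documents, and that
    SHA-256 (and the policy gate) tells them apart."""
    doc_a, doc_b = build_documents()
    sig_md5 = sign(doc_a, SIGNING_KEY, "md5")      # signer signs document A
    sig_sha256 = sign(doc_a, SIGNING_KEY, "sha256")
    return {
        "documents_differ": doc_a != doc_b,
        "md5_equal": hashlib.md5(doc_a).digest() == hashlib.md5(doc_b).digest(),
        "md5_sig_accepts_a": verify(doc_a, sig_md5, SIGNING_KEY, "md5"),
        "md5_sig_accepts_b": verify(doc_b, sig_md5, SIGNING_KEY, "md5"),   # the swap
        "sha256_sig_accepts_b": verify(doc_b, sig_sha256, SIGNING_KEY, "sha256"),
        "policy_rejects_md5": not verify_with_policy(doc_a, sig_md5, SIGNING_KEY, "md5"),
        "policy_accepts_sha256_a": verify_with_policy(doc_a, sig_sha256, SIGNING_KEY, "sha256"),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The swap works because the colliding blocks sit at the very start of the message and MD5 processes input block by block: once the internal state agrees after block one, the identical suffix keeps it identical. That is also why the quoted point stands, the forger needs the original colliding pair (here, the published blocks) and cannot start from an arbitrary existing hash.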